Add role for external users #3061

Closed
toupeira opened this issue Apr 28, 2016 · 6 comments

@toupeira

My Rocket.Chat version: 0.28

I'm trying to add a new "guest" role for external users. They should only be able to see channels they were explicitly added to by internal users, and have normal access to DMs/private groups. If the role doesn't have any permissions at all, I can view channels I'm a member of by their direct URL, but they don't show up in the sidebar. If I give the view-c-room permission they will see all channels, which I'd like to avoid.

I think it would make sense for the channel list to always be displayed if the user has assigned channels, independently of their permissions. Longer term it would also be nice to have a visibility setting on each room ("Public" / "Internal") and separate view-public-c-room / view-internal-c-room permissions, and have a "guest" role shipping by default.

Or maybe this is already doable with the current room-level permissions and I'm just not seeing it?

@GezimSejdiu

GezimSejdiu commented Jul 22, 2016

Hi, Rocket.Chat team,
I am facing the same problem here.
Since we have a lot of external collaboration, we need to have some private channels for ongoing papers/projects where we need to invite external guests to join the room.
I have created a new Role: one-channel-guest with Scope: Rooms and assigned a specific user to the private room.
Note: Since by default a user is part of the user role, it inherits all privileges from the user role. I have tried to remove 'guest' from the 'user' role, but still, it is not working.
Is there any different way of assigning a guest user to have access only on Single-Channel Guest (like Slack has)?
Best regards

Updated: It works. Just remove 'guest user' from the 'user' role and add it to one-channel-guest with Scope: General, which has only one option checked: view-p-room.

@toupeira

toupeira commented Aug 11, 2016

Looks like this was solved with the new view-joined-room permission!

I now have a guest role which only sees their joined channels and also can direct-message other users, using the following permissions:

  • create-d
  • mention-all
  • view-d-room
  • view-joined-room

Direct links to unjoined channels also correctly show an error message now.

@marceloschmidt modified the milestone: 0.37.0 Sep 5, 2016

@borismedovnik

The above solution works great for external users that are added to Rocket.Chat for specific rooms; however, there's one tiny issue. By clicking the + button to open the "Create room" dialog, or by clicking Add Users, the user with the "view-joined-room" permission is able to enumerate all users in the system by typing characters in the user input box, even though that user can't actually create a room or add other users. This is the only data leak that happens in an otherwise good solution for bringing external users to Rocket.Chat with limited access.

Is it possible to prohibit seeing the user input textbox/dialog if the user doesn't actually have permission to create new channels or add users?

@tuxmartin

@borismedovnik yes, it is a problem. Guests can see all other users :-(

@borismedovnik

This is a tiny issue; however, it makes it impossible to use chat in environments where users from different teams (i.e. customers) are not supposed to see each other. Maybe there can be an easy fix to this, e.g. prevent enumeration for people with only the "view-joined-room" permission?

@Riz-waan

@borismedovnik Please create a new opened issue for that.
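
The restriction requested in the comments above (no directory-wide user search for accounts that cannot create rooms or add users), sketched as an added example; it is not Rocket.Chat code or code from any participant in this thread. The user records, the `user` role's permission set, and the choice of `create-c` / `add-user-to-joined-room` as the gating permissions are assumptions; the guest permission set is the one listed in the thread.

```javascript
// Added illustration: a stand-alone model, not Rocket.Chat source code.
// All users and rooms below are constructed sample data.

// Role -> permissions. The guest set is the one listed in the thread.
const ROLE_PERMISSIONS = {
  guest: ['create-d', 'mention-all', 'view-d-room', 'view-joined-room'],
  // Assumed permission set for an internal user.
  user: ['create-c', 'add-user-to-joined-room', 'view-c-room', 'view-d-room', 'create-d'],
};

// Assumption: only these permissions justify searching the whole directory.
const DIRECTORY_PERMISSIONS = ['create-c', 'add-user-to-joined-room'];

const USERS = [
  { username: 'alice', role: 'user', rooms: ['general', 'paper-x'] },
  { username: 'adam', role: 'user', rooms: ['general'] },
  { username: 'acme-guest', role: 'guest', rooms: ['paper-x'] },
  { username: 'apex-guest', role: 'guest', rooms: ['paper-y'] },
];

function hasAnyPermission(user, wanted) {
  const granted = ROLE_PERMISSIONS[user.role] || [];
  return wanted.some((p) => granted.includes(p));
}

// Server-side autocomplete. The filter runs before results leave the server,
// so the directory is protected even if the client still shows the input box.
function autocompleteUsers(requesterName, term) {
  const requester = USERS.find((u) => u.username === requesterName);
  if (!requester || typeof term !== 'string' || term.length === 0) return [];
  const needle = term.toLowerCase();
  const fullDirectory = hasAnyPermission(requester, DIRECTORY_PERMISSIONS);
  const joined = new Set(requester.rooms);
  return USERS
    .filter((u) => u.username !== requester.username)
    .filter((u) => u.username.toLowerCase().startsWith(needle))
    // Restricted accounts only see people they already share a room with.
    .filter((u) => fullDirectory || u.rooms.some((r) => joined.has(r)))
    .map((u) => u.username)
    .sort();
}
```

Hiding the dialog in the client alone would leave the underlying search callable, which is why the model applies the permission check where the results are produced.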
